64896cf157af46d6f6047ba3c9af1100b46bf759a8f42b11e0be242a7addc8d6

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stub.pyc
Size

875KB
MD5

07d0844764c87a54283bee44be2c9a49
SHA1

98df3eae95b2e876781769584227bc6f19a8e3f1
SHA256

4e75ade8d0890e8228195a80ea21767368fe5da226f09a2bc1bfd943d004da15
SHA512

7e655608fe47d644e561255507f8a960b5a9bdb94b29c00bd016fb293030d13db5fad06dfd5e417f9645242e56af8ebadd17eec073b4705bd95ed001a7ea7cd6
SSDEEP

24576:V5zjx1WxKnEfF7QLAUos789H9dbK3DxEXcF7I:V5D8cD3sCxXI

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AcroRd32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid	Process
2716	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid	Process
2716	AcroRd32.exe
2716	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	Process	procid_target
PID 2232 wrote to memory of 2136	2232	cmd.exe	31
PID 2232 wrote to memory of 2136	2232	cmd.exe	31
PID 2232 wrote to memory of 2136	2232	cmd.exe	31
PID 2136 wrote to memory of 2716	2136	rundll32.exe	32
PID 2136 wrote to memory of 2716	2136	rundll32.exe	32
PID 2136 wrote to memory of 2716	2136	rundll32.exe	32
PID 2136 wrote to memory of 2716	2136	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Stub.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Stub.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c04e86900366c744433a26eeb6b4c8c4

SHA1
3b859458ed09291ddedf0543ad4ee66b74df82d4

SHA256
2dab71d26457a51bbafb1dff0faf04eccc9fd934cf9835a44eaed821aad7fcf5

SHA512
6d7b33a9ea1500f571e983d0955d6b1f350f18a90eb1972511d010e4f65a55b69d0819683cb2c58e912dd91c7c2f7bc7cc916eb9dc197dc1203eb561b4bb5be2

Download Submit